Wilders Security Forums  

  #1  
Old September 26th, 2011, 05:22 PM
mbeiley2011 mbeiley2011 is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 3
Default chase.com not secure, but prompts for login

The website www.chase.com is not fully secure, yet they ask their customers to enter their login username and password on this page. This is very bad security policy, and subjects all the Chase customers to having their login credentials stolen.

If you go to:

https://www.chase.com

it should be showing all secure content, and most web browsers will show you this with a lock symbol. If you check in IE9 or Chrome they both indicate the problem. Most likely they have some image on their home page not secure, but the end user cannot easily tell what is secure and what is not, so they can't be sure their login credentials are safe. I notified Chase of this on Saturday when I first noticed it, and yet still today it is broken. It seems crazy in this day and age that a large bank would be so lax with security. Please see the attached screen shots showing the problem.

[Attached image: chase_with_ie9.jpg]

[Attached image: chase_with_chrome.jpg]
  #2  
Old September 26th, 2011, 05:26 PM
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,356
Default Re: chase.com not secure, but prompts for login

Enter an incorrect password, hit enter and see if it takes you to the secure page.
  #3  
Old September 26th, 2011, 05:31 PM
mbeiley2011 mbeiley2011 is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 3
Default Re: chase.com not secure, but prompts for login

Hi ronjor,

Yes, their re-directed logon page is fully secure, and that is what I've been using. I was just trying to point out the problem. If a bank can't demonstrate better security than this on their homepage, it is scary to imagine how safely they treat confidential data internally.
  #4  
Old September 26th, 2011, 05:33 PM
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,356
Default Re: chase.com not secure, but prompts for login

It is sloppy. There are many sites that are like this.
  #5  
Old October 6th, 2011, 03:18 PM
dawkholiday dawkholiday is offline
Infrequent Poster
 
Join Date: Oct 2011
Posts: 3
Default Re: chase.com not secure, but prompts for login

When you visit the site do you look up Chase.com through a search engine or use a bookmark/favorite? This information should have been given to you if you asked them. They explained that to me last night. Did you talk to customer service about it? What did the CS say?
  #6  
Old October 6th, 2011, 03:37 PM
mbeiley2011 mbeiley2011 is offline
Infrequent Poster
 
Join Date: Sep 2011
Posts: 3
Default Re: chase.com not secure, but prompts for login

Hi dawkholiday,

The problem is the same no matter how you visit their site (bookmark, type it in the address bar, follow a link...). Their home page is providing both encrypted and non-encrypted content, thus the full page is not encrypted. It isn't obvious to the end user what is and isn't encrypted, so this is a bad practice, and doesn't give the user confidence their login credentials will be transmitted encrypted. Different browsers show this problem to the end user in different ways. In IE, the lock is not present. In Chrome the lock icon changes to have a warning sign on it, which you can click on, and they'll explain the problem.

I did send them an email through my account, but the answer was basically to call them. I view this as their problem, and wasn't going to spend more of my time trying to explain what they should already know. It baffles me that a bank as large as Chase can't figure out these basic security issues.

The work-around is to enter a bogus password, and you'll be re-directed to a dedicated login page that is fully encrypted.
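
What the posts above describe is mixed content: an HTTPS page that also pulls some subresources over plain HTTP. As an added example (not part of the original thread), this is one way a site owner could scan their own page's markup for it, and separately check the question the thread keeps returning to, whether the form holding the password field submits over HTTPS. The `example.test` hostnames and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a subresource, per tag.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
              "video": "src", "source": "src", "object": "data", "link": "href"}
# Passive loads can be read or swapped in transit; the rest can rewrite the page.
PASSIVE = {"img", "audio", "video", "source"}

# Constructed sample markup; the example.test hosts are placeholders.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="https://static.example.test/app.js"></script></head><body>
<img src="http://images.example.test/banner.gif">
<script src="//stats.example.test/t.js"></script>
<form action="http://www.example.test/auth" method="post">
<input name="user"><input type="password" name="pw"></form></body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.form_action = page_url, [], None

    def insecure(self, raw):
        # Resolve relative and protocol-relative URLs as a browser would.
        url = urljoin(self.page_url, raw)
        return url if urlsplit(url).scheme == "http" else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            url = self.insecure(self.form_action or "")
            if url:  # credentials would be submitted without TLS
                self.findings.append(("insecure-login-post", "form", url))
        elif tag in FETCH_ATTR and a.get(FETCH_ATTR[tag]):
            is_css = "stylesheet" in (a.get("rel") or "").lower()
            url = self.insecure(a[FETCH_ATTR[tag]])
            if url and (tag != "link" or is_css):
                kind = "passive" if tag in PASSIVE else "active"
                self.findings.append((kind, tag, url))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Calling `scan("https://www.example.test/", SAMPLE)` reports the HTTP image as a passive finding and the form target as an insecure login post; the relative stylesheet and the protocol-relative script inherit HTTPS from the page and are not reported.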
  #7  
Old October 6th, 2011, 09:44 PM
dawkholiday dawkholiday is offline
Infrequent Poster
 
Join Date: Oct 2011
Posts: 3
Default Re: chase.com not secure, but prompts for login

Could it be IE 9? I'm running IE 8 and get my lock. I spoke with Chase and they mentioned that they are not fully operational when running on IE 9. Not exact words, but it's how I phrase it lol. Idk. Just trying to offer a different view. I mainly use Firefox though and have had no problems. Just booted up IE 8 to test it out and refuse to bump up to 9 just because I hate Microsoft.
  #8  
Old October 6th, 2011, 11:22 PM
wat0114
 
Posts: n/a
Default Re: chase.com not secure, but prompts for login

Quote:
Originally Posted by mbeiley2011
Hi dawkholiday,

The problem is the same no matter how you visit their site (bookmark, type it in the address bar, follow a link...). Their home page is providing both encrypted and non-encrypted content, thus the full page is not encrypted.

I believe you are right. When I enter credentials (randomly typed fake) I get two IP addresses logged. One secure and one unsecure:

port 443: 159.53.60.105

port 80: 199.16.83.72

This was with IE9, so dawkholiday may have a point about the browser used.
  #9  
Old October 6th, 2011, 11:27 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Question Re: chase.com not secure, but prompts for login

This is what I found. http://www.chase.com gets immediately redirected to https://www.chase.com

[Attached image: c1.gif]

Enter incorrect details &

[Attached image: c2.gif]

Looks worse to me? Weird!
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #10  
Old October 6th, 2011, 11:33 PM
wat0114
 
Posts: n/a
Default Re: chase.com not secure, but prompts for login

I just tried royalbank login using IE9 (the one I deal with) and it's all secure connections. As ronjor pointed out, Chase appears to be sloppy, so no excuses imo not to be ready for IE9.

EDIT

Try a search on "Chase login" and go with the first result. You should get -https://chaseonline.chase.com/

[Attached image: rbc_login.png]


Last edited by wat0114 : October 6th, 2011 at 11:39 PM.
  #11  
Old October 6th, 2011, 11:39 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Exclamation Re: chase.com not secure, but prompts for login

@ wat0114

Don't know about IE, but with FF the padlock showed solid gold on both those "supposedly" secure www's

[Attached image: pad.gif]

So on its own it might be a true indication of FULL security! That's why I love Calomel
  #12  
Old October 6th, 2011, 11:44 PM
wat0114
 
Posts: n/a
Default Re: chase.com not secure, but prompts for login

Quote:
Originally Posted by CloneRanger
@ wat0114

Don't know about IE, but with FF the padlock showed solid gold on both those "supposedly" secure www's

I got redirected like you, CloneRanger, but no padlock showed until after I attempted to sign in. It's gold when I hover over it, and same thing with royalbank.

Did you try: -https://chaseonline.chase.com/ ?
  #13  
Old October 7th, 2011, 12:01 AM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Exclamation Re: chase.com not secure, but prompts for login

Just tried https://chaseonline.chase.com for you EXACTLY as before. The padlock showed solid gold, even though neither were 100% secure via Calomel?